Setting up ProtonVPN with Opnsense with Ease


How to set up ProtonVPN with OPNsense using WireGuard

You'll need a ProtonVPN subscription and a WireGuard configuration file generated from it.

When generating the configuration, select:

  • Router
  • Block Malware Only (or any other setting; it doesn't matter for this guide)
  • VPN Accelerator
  • Region of your choice

The following setup uses an alias that holds the list of clients whose traffic you want to forward through the VPN. You can do a broad network-wide setup instead, but that isn't ideal with my living situation.

Create your Aliases

  • Firewall → Aliases
    • RFC1918
      • Type: Networks
      • Content: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    • VPNForwarding
      • Type: Networks
      • Content: the IP subnets you want to forward, e.g. 192.168.53.23/32 for a single host, or something like 192.168.0.0/12 for a range

Configure WireGuard

  • Wireguard Peer
    • VPN → WireGuard → Peers
      • Click + and configure the Peer:
        • Enabled: Checked
        • Name: ProtonVPN_Peer (or similar)
        • Public Key: Copy the PublicKey from the [Peer] section of your ProtonVPN .conf file.
        • Allowed IPs: 0.0.0.0/0 (and ::/0 for IPv6 if desired). This is what the VPN server expects, but we will control the routes on the OPNsense side.
        • Endpoint Address: Copy the server address (IP or hostname) from the [Peer] section.
        • Endpoint Port: Copy the port number from the [Peer] section.
        • Keepalive: 25 (Recommended)
        • Pre-shared Key: (Optional) Copy if provided by ProtonVPN (Usually not).
    • VPN → WireGuard → Instances
      • Click + and configure the Instance:
        • Enabled: Checked
        • Name: ProtonVPN_WG (or similar)
        • Private Key: Copy the PrivateKey from the [Interface] section of your ProtonVPN .conf file.
        • Public Key: Leave Empty (Will auto-populate after saving)
        • Tunnel Address: Copy the IP address/CIDR from the Address line in the [Interface] section (e.g., 10.x.x.x/32).
        • Peers: Select the Peer you created above (ProtonVPN_Peer).
        • Disable Routes: ✓ CHECK THIS BOX. (This is essential for policy-based/selective routing; otherwise the instance installs a default route through the tunnel for everything.)

Assign WireGuard Interface and Gateway

  • Interfaces → Assignments
    • At the bottom, select your WireGuard device and click Add.
      • It should look something like wg0 (WireGuard - ProtonVPN_WG)
    • Then go to Interfaces → WireGuard Device [ProtonVPN_WG]
    • Check Enable Interface and save.
  • System → Gateways → Configuration
    • Click +
      • Name: Proton_VPN_GW (or similar).
      • Interface: Select the new WireGuard interface (WG_PROT_VPN).
      • Address Family: IPv4.
      • Gateway: Specify an IP address one number lower than your WireGuard tunnel address (e.g., if the tunnel address is 10.x.x.5/32, use 10.x.x.4). This is an arbitrary “far gateway” IP that OPNsense uses as the next hop for routing.
        • Far Gateway checkbox: leave it unchecked.
      • Monitor IP: (Optional, but recommended for a health check.) You can use one of ProtonVPN's DNS servers (e.g., 10.2.0.1 or 10.2.0.2 if provided in their config) or a public one like 1.1.1.1.
      • Disable Gateway Monitoring: ✓ Check this box (because the Monitor IP is not directly on the WireGuard subnet).
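As an added example (not code from the original post), the Python below parses a constructed ProtonVPN-style WireGuard .conf and maps its fields onto the instance, peer and gateway settings listed above, including the "one number lower" gateway address. Both keys in the sample are placeholders (base64 of 32 repeated bytes, the right shape but not real keys), 203.0.113.10 is a documentation address, and the labels in the returned dict are my own, not OPNsense's internal field names.

```python
import base64
import configparser
import ipaddress

# Placeholder keys: base64 of 32 repeated bytes. Correct length, not real keys.
_PLACEHOLDER_PRIVATE = base64.b64encode(bytes([2]) * 32).decode()
_PLACEHOLDER_PUBLIC = base64.b64encode(bytes([1]) * 32).decode()

# Constructed sample in the layout of a ProtonVPN "Router" WireGuard config.
# 203.0.113.10 is a documentation address, not a ProtonVPN server.
SAMPLE_CONF = f"""
[Interface]
# Key for my-opnsense-router
PrivateKey = {_PLACEHOLDER_PRIVATE}
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# Placeholder ProtonVPN server entry
PublicKey = {_PLACEHOLDER_PUBLIC}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""


def check_key(value: str) -> str:
    """A WireGuard key is 32 bytes, base64-encoded; reject anything else early."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte key, got {len(raw)} bytes")
    return value


def far_gateway(tunnel_cidr: str) -> str:
    """Gateway IP the way the guide picks it: one below the tunnel address.

    ProtonVPN hands out a /32, so there is no real next hop on the link; the
    value only has to be an address OPNsense can attach the gateway route to.
    """
    iface = ipaddress.ip_interface(tunnel_cidr)
    return str(iface.ip - 1)


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'host:port' (or '[v6addr]:port') into the two OPNsense peer fields."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def opnsense_fields(conf_text: str) -> dict:
    """Map a .conf onto the instance, peer and gateway settings from the guide.

    Dict keys are descriptive labels chosen here, not OPNsense identifiers.
    """
    cp = configparser.ConfigParser(interpolation=None)  # never interpret '%' in values
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    tunnel = iface["Address"].split(",")[0].strip()  # first address if several
    host, port = split_endpoint(peer["Endpoint"])
    return {
        "instance.private_key": check_key(iface["PrivateKey"]),
        "instance.tunnel_address": tunnel,
        "instance.disable_routes": True,  # the checkbox the guide calls essential
        "peer.public_key": check_key(peer["PublicKey"]),
        "peer.allowed_ips": peer.get("AllowedIPs", "0.0.0.0/0"),
        "peer.endpoint_address": host,
        "peer.endpoint_port": port,
        "peer.keepalive": 25,
        "gateway.address": far_gateway(tunnel),
        "gateway.monitor_ip": iface.get("DNS", "1.1.1.1").split(",")[0].strip(),
    }


if __name__ == "__main__":
    for key, value in opnsense_fields(SAMPLE_CONF).items():
        print(f"{key:26} {value}")
```

Running it prints each value next to the setting it belongs to, so you can copy them into the OPNsense forms in the order the sections above list them; the key-length check catches a truncated copy-paste before the instance is saved.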

Firewall Rules

  • LAN interface rule
    • Firewall → Rules → LAN (or whatever your interface is called)
      • Action: Pass
      • Interface: OPT1 (or the interface where 192.168.3.0/24 resides)
      • Direction: In (ChatGPT told me Out, but this should be In)
      • TCP/IP Version: IPv4 (and add a separate rule for IPv6 if needed)
      • Protocol: Any
      • Source:
        • Source: VPNForwarding (select the alias you created)
      • Destination:
        • Invert match: ✓ Check this box
        • Destination: RFC1918 (this ensures local network traffic is not routed through the VPN, so the client can still reach your other LAN subnets, printer, etc.)
      • Gateway: Proton_VPN_GW (select the WireGuard gateway you created)
  • Outbound NAT rule
    • Firewall → NAT → Outbound. You'll need Hybrid or Manual outbound NAT selected here.
      • Interface: WG_PROT_VPN (select your WireGuard interface)
      • TCP/IP Version: IPv4
      • Protocol: Any
      • Source:
        • Source network: VPNForwarding (select the alias you created)
      • Destination: Any (or, if you want to be extremely specific, !RFC1918 to match the firewall rule, but Any is typically fine here)
      • Translation / Target: Interface address
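Added example, not from the original post: a small Python model of the LAN rule and the outbound NAT rule above, built from the guide's RFC1918 and VPNForwarding aliases. It shows which gateway a flow gets under "source VPNForwarding, destination !RFC1918", that a client outside the alias (or one you remove from it, as in the section on modifying the list) never reaches the VPN gateway, and that IPv6 from a forwarded client keeps the default route unless the separate IPv6 rule exists. The 2001:db8 addresses and the 10.2.0.2 tunnel address are constructed assumptions; the `forwarding` parameter stands in for editing the alias in the UI.

```python
import ipaddress


def alias(*cidrs: str) -> list:
    """Build an OPNsense-style 'Networks' alias from CIDR strings."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Aliases as the guide defines them. The IPv6 entry in VPNForwarding is a
# constructed addition so the IPv6 case can be exercised.
RFC1918 = alias("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
VPN_FORWARDING = alias("192.168.53.23/32", "2001:db8:1::23/128")

WG_TUNNEL_ADDRESS = "10.2.0.2"  # assumed address of the WireGuard interface


def in_alias(addr: str, networks: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in networks)


def select_gateway(src: str, dst: str, forwarding: list = VPN_FORWARDING,
                   ipv6_rule: bool = False) -> str:
    """Mirror of the LAN rule: pass, source VPNForwarding, destination
    RFC1918 with invert match, gateway Proton_VPN_GW. Flows the rule does
    not match keep OPNsense's default route."""
    if ipaddress.ip_address(src).version == 6 and not ipv6_rule:
        return "default"  # the guide's rule is IPv4-only; v6 is not policy-routed
    if in_alias(src, forwarding) and not in_alias(dst, RFC1918):
        return "Proton_VPN_GW"
    return "default"


def nat_source(src: str, gateway: str, forwarding: list = VPN_FORWARDING) -> str:
    """Mirror of the outbound NAT rule on the WireGuard interface: source
    VPNForwarding, translation 'Interface address'."""
    if gateway == "Proton_VPN_GW" and in_alias(src, forwarding):
        return WG_TUNNEL_ADDRESS
    return src


def route_table(flows: list) -> list:
    """Evaluate (src, dst) pairs: a pre-flight check of what the alias does."""
    rows = []
    for src, dst in flows:
        gw = select_gateway(src, dst)
        rows.append((src, dst, gw, nat_source(src, gw)))
    return rows


if __name__ == "__main__":
    sample = [  # constructed flows
        ("192.168.53.23", "1.1.1.1"),           # forwarded client to the internet
        ("192.168.53.23", "192.168.1.10"),      # forwarded client to a LAN printer
        ("192.168.53.99", "1.1.1.1"),           # client not in the alias
        ("2001:db8:1::23", "2606:4700::1111"),  # forwarded client over IPv6
    ]
    for row in route_table(sample):
        print("{:16} -> {:16} via {:14} src-nat {}".format(*row))
```

The IPv6 row is the one worth watching: with only the IPv4 rule in place, a dual-stack client in the alias still sends its IPv6 traffic out the normal WAN, which is exactly what the "add a separate rule for IPv6" remark above is guarding against.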

Verify

Verify that your public IP is no longer your original IP:

https://whatismyip.com

Modifying the list of clients using the VPN

Go to Firewall → Aliases; you can now edit VPNForwarding with whatever IPs you want to forward through your VPN.

You could even remove your own IP from the list to temporarily bypass the VPN, if you want to see whether the VPN is the reason some sites don't work.

Hopefully this guide is helpful. Thanks for reading!

Source: https://dahn.me/posts/opnsense-protonvpn/
Author: Daniel Ahn
Published: 2026-01-29
License: CC BY-NC-SA 4.0